Post on 03-Apr-2018
2013 Internal Audit Capabilities and Needs Survey ReportAssessing the Top Priorities for Internal Audit Functions
Introduction
“ IN THE STRUGGLE FOR SURVIVAL, THE FITTEST WIN OUT AT THE EXPENSE OF THEIR RIVALS BECAUSE
THEY SUCCEED IN ADAPTING THEMSELVES BEST TO THEIR ENVIRONMENT.”
Charles Darwin
The uncertainty raging in the current business environment is arising largely from change. Although change stems from multiple sources – transformational technologies such as social media as well as regulatory and rulemaking bodies, for example – it all seems to be coming at increasingly breakneck speeds.
Rapid changes in seemingly every corner of the enterprise pose new challenges for internal audit functions. Not only must internal audit departments keep pace by continually broadening and sharpening their understanding of new business developments, but they also must apply rigor-ous and systematic scrutiny to moving targets such as emerging risks, existing business processes that continue to evolve, as well as entirely new business processes forming as the result of external changes. Further, an ever-increasing set of regulatory and compliance requirements has internal audit expanding its scope and assurance responsibilities.
For example, how can a midsize company with nascent operations in Latin America, West Africa or the Far East ensure that its local sales teams do not succumb to bribery practices that may flourish in pockets of those geographies? How can a large multinational corporation be certain its customer data remains protected, even as it zips around the world in employees’ pockets? How does the audit committee of a fast-growing business know that its data center in Baton Rouge is safe from hackers on another continent?
These types of questions quickly find their way to chief audit executives (CAEs) and their teams. The evolving and risky nature of social media technology in organizations, which is the subject of a special section in the latest edition of Protiviti’s Internal Audit Capabilities and Needs Survey, crys-tallizes the sort of fast-moving change – and attendant uncertainty – that today’s internal auditors must address.
As we detail in our report, coping with uncertainty, responding to rapidly changing business processes and establishing more collaborative relationships with colleagues emerge as major themes in this year’s study. Among the key findings:
• social media remains a top concern.� Understanding social media applications is a critical priority for internal auditors in the coming year. This reflects both the rapidly expanding use of social media throughout the enterprise and the risks inherent in social media (a topic we cover in the special section of our report beginning on page 1). Of note, these same issues and risks apply to other emerging technologies that organizations are beginning to employ.
• Changes from regulatory and rulemaking bodies are garnering attention.� Upcoming changes such as COSO’s updated Internal Control – Integrated Framework and recently enacted auditing standards from The Institute of Internal Auditors (IIA), such as Standards 1110, 2010.A1, 2010.A2 and 2450, are challenging internal auditors to keep pace with new requirements and resulting changes in auditing practices and processes.
• The nature of fraud is changing – as are the ways internal auditors address it.� As compa-nies rely more heavily on so-called “big data” – both internally and externally generated – to drive decision-making, new forms of fraud are targeting this information. Internal auditors recognize these new fraud risks and are looking to apply leading-edge techniques (e.g., data analytics and continuous monitoring) as part of their fraud prevention, detection and mitigation activities.
• There is continued interest in leveraging technology-enabled auditing.� As in previous years of our study, data analysis tools, computer-assisted auditing tools, and continuous auditing and monitoring approaches rank as top areas in need of improvement for CAEs and internal audit professionals alike.
• internal auditors aim to think more strategically, collaborate more effectively.� The need to enhance strategic thinking capabilities and opportunities reflects the increasing regularity with which internal audit is being called on to share risk-related insight and analysis prior to strategic decisions being made. Other areas cited as in need of improvement, such as persuasion, nego-tiation and dealing with confrontation, demonstrate an understanding among internal auditors of the need to work closely with colleagues throughout the company to mitigate risks within increasingly complex and cross-functional business processes.
More than 1,000 respondents participated in this year’s study, including CAEs along with internal audit directors, managers and staff. These professionals rated more than 150 internal audit skill and knowledge areas in the study’s three standard categories – General Technical Knowledge, Audit Process Knowledge, and Personal Skills and Capabilities – and responded to questions in our special section, Social Media Risk and the Audit Process.
The internal audit executives and professionals who participated in our survey represent virtually all industry sectors. The largest segments are from manufacturing, financial services and healthcare. More than a third of respondents are with publicly traded companies, the others being from private, government and nonprofit organizations. (Please note that, upon request, we can provide customized reports based on the results of respondents from specific groups – industry, company size, etc.)
We are very appreciative of the time invested in this study by all of the respondents, as well as the positive feedback from the market about the survey findings and our insights. We are confident the results of this study will again be of interest to board members, chief executive officers, chief financial officers and chief information officers, along with the internal audit community. Based on feedback from these audiences, we will continue to update this annual study to reflect changes in the business and regulatory environments, as well as emerging trends affecting internal audit func-tions and professionals.
In closing, we want to express our appreciation to The IIA for sustaining and furthering its role as an outstanding global leader and advocate for our profession.
Protiviti March 2013
12013 Internal Audit Capabilities and Needs Survey Report
Social Media Risk and the Audit Process
Key Findings• Organizationalsocialmediauseisrisingandgrowingincreasinglyimportantfromarisk
managementstandpoint,yetformalprocessesforitremainararity.
• Theevaluationandmonitoringofsocialmediariskisorwillsoonbecomeakeypartofauditplans.
• Theprecisenatureoforganizationalsocialmediariskisrapidlychanging,whichgeneratesconfusionaswellasobstaclesinternalauditmustrecognizeandaddress.
Every year, Protiviti’s Internal Audit Capabilities and Needs Survey includes a special section that takes an in-depth look at a new or emerging area of internal audit. This year we focus on social media – a timely and important category for internal auditors. (As detailed in the next section of this report, survey respondents identify social media applications as the top “Need to Improve” area in the General Technical Knowledge category – see page 10.)
Due to its rapidly growing use throughout the enterprise, social media risk management expertise has quickly become a must-have capability within most internal audit functions. This section of the survey was designed to:
• Generate a snapshot of social media usage and management in organizations;
• Identify the ways in which the audit process currently addresses (and will soon address) social media risk; and
• Pinpoint the key obstacles internal audit encounters as it refines its understanding, assessment and monitoring of social media risk.
Social Media Use on the Rise; Process in Infancy
Social media platforms and applications have been implemented rapidly by most organizations over the past two years. However, the precise nature of social media use within companies, along with its new and rapidly evolving nature, remains rife with uncertainty. New ways to utilize social media crop up weekly, and new social media tools seem to hit the market just as frequently.
For internal auditors, the evolving use of social media within the enterprise presents significant chal-lenges from a risk management standpoint. An initial step in addressing uncertainty surrounding social media risks involves gaining a better and clearer understanding of its use throughout the organization – and the degree to which that use is, or is not, governed by a formal strategy and social media policy.
Does your organization have the following in place?
Activity Yes No
Social media strategy 53% 47%
Social media policy 57% 43%
How does your organization currently leverage social media technology for the following?
Activity Yes No
External communication 64% 36%
Internal communication 44% 56%
2 2013 Internal Audit Capabilities and Needs Survey Report
Among the notable survey findings in these areas (as detailed in the accompanying tables and charts):
• 64 percent of companies leverage social media for external communication.
• 44 percent leverage social media for internal communication.
• Social media use may be on the rise, but formalized processes to manage it are in their infancy – 76 percent of respondents place the current state of their organization’s social media processes at one of the two lowest stages of a five-stage capability maturity model.
If your organization has a social media policy, which of the following areas does it address?*
100%
90%
80%
70%
60%
50%
40%
30%
20%
10%
0%
Disclosure ofcompany
information
Employeetraining
Other
90%
Disclosure ofemployee
information
73%
Approved use ofsocial mediaapplications
70%
Ethical use ofsocial media
76%
Informationsecurity
70%
38%
3%
Organization’spurpose in using
social media
56%
Approved use ofcommunity
forums
47%
* Multiple responses permitted
Using the following Capability Maturity Model (adapted from the Carnegie Mellon Institute), how would you rate the current state of your organization’s social media process?
0% 10%5% 20% 30%15% 25% 35% 40% 45%
Managed State 10%
Defined State 13%
Repeatable State 33%
Initial State 43%
Optimized State 1%
32013 Internal Audit Capabilities and Needs Survey Report
Addressing Social Media in the Audit Process
The survey results suggest that social media risk will soon be a part of most audit plans: 55 percent of respondents report that the evaluation and auditing of social media risk is either included in the current audit plan or will be included in next year’s audit plan.
Is evaluating and auditing social media risk part of your audit plan?
45%
35%
25%
15%
5%
50%
40%
30%
20%
10%
0%
20%
35%
45%
No, and no plans toinclude it in the audit plan
Yes, it is included in ourcurrent year audit plan
No, but it will be includedin next year’s audit plan
Internal audit professionals note a number of compelling reasons for integrating social media risk evaluations into the normal flow of their work. From a risk management perspective, internal auditors indicate that social media use poses the highest level of risk in the form of:
• Brand and/or reputational damage
• Data security
• Regulatory and compliance violations
• Data leakage
• Viruses and malware
“ SOCIAL MEDIA RISK ISN’T VERY HIGH ON OUR PRIORITY LIST, WITH OTHER RISKS BEING MORE
SIGNIFICANT AND MITIGATING FACTORS IN PLACE THROUGH OUR MARKETING AND PR DEPARTMENT.”
Chief auDiT exeCuTive, miDsizeD TeChnology Company
4 2013 Internal Audit Capabilities and Needs Survey Report
On a scale of 1 to 10, with 10 representing the highest risk level and 1 indicating the lowest risk level, please rate the level of social media risk that each of the following areas poses to your organization.
0.0 2.01.0 4.0 6.03.0 5.0 7.0 8.0
Data leakage(employee personal information)
5.7
Data security (company information) 6.7
Employee defamation 5.1
Brand/reputational damage 7.5
Loss of employee productivity 4.9
Interrupted business continuity 4.1
Viruses and malware 5.3
Loss of intellectual property 4.6
Financial loss 4.5
Regulatory and compliance violations 6.3
Of note, survey respondents whose organizations currently address social media risk indicate that doing so generates value. The four greatest sources of value from social media risk management include:
• Monitoring of reputation risk
• Earlier identification of issues, risks or control problems
• Improvements to overall business strategy
• Stronger regulatory compliance
“ AS A FINANCIAL INSTITUTION, OUR BIGGEST SOCIAL MEDIA RISKS RELATE TO ACCIDENTALLY
MENTIONING SOMEONE’S PERSONAL INFORMATION OR UPSETTING SOMEONE [WHO THEN USES]
SOCIAL MEDIA TO VENT ABOUT US.”
Chief auDiT exeCuTive, small finanCial serviCes insTiTuTion
52013 Internal Audit Capabilities and Needs Survey Report
Where do you currently perceive the greatest value for addressing social media risk to your organization?
0% 10%5% 25% 35%20%15% 30% 40% 45%
Overall business strategy 14%
Improved operational performance 7%
Earlier identification of issues,risks or control problems
21%
Cost recovery/improvement 2%
Other 1%
Monitor reputation risk 39%
Validation of controleffectiveness or failure
4%
Regulatory compliance 12%
Although just one out of five respondents reported that their current audit plan calls for evaluating social media risk, 49 percent said their organization currently addresses social media in risk assess-ment processes. This assessment work requires a high degree of collaboration across numerous functions and business units.
Does your organization address social media in its risk assessment process?
45%45%
35%
25%
15%
5%
50%
55%
60%
40%
30%
20%
10%
0%
Yes, it is addressedseparately from the overall
risk assessment process
Yes, it is addressedas part of the overall
risk assessment process
No, social media riskis not addressed
9%
40%
51%
6 2013 Internal Audit Capabilities and Needs Survey Report
According to the survey results, the functions of the company that play the most significant role in the assessment of social media risk include:
• Information technology
• Management and/or process owners
• Executive management
• Internal audit
• Line of business executives
Social Media Risk Management Obstacles
When asked to describe the effectiveness of their function’s and their organization’s management of social media risk, respondents appeared a bit uncertain. Such uncertainty can be mitigated by addressing the obstacles currently inhibiting internal audit’s involvement in the assessment of social media risk.
How effective is your organization at identifying/assessing/mitigating social media risk to an acceptable level?
50%
30%
10%
70%
60%
40%
20%
0%
23%
16% 15%
59%61% 62%
23% 23%
18%
Very effective Moderately effective Not effective
Mitigating
Assessing
Identifying
72013 Internal Audit Capabilities and Needs Survey Report
As noted previously, a majority of respondents reported their social media processes as relatively immature. Additionally, 45 percent indicated their organization does not evaluate social media risk as part of the audit plan (and has no plans to do so), and 84 percent of respondents rated their organiza-tion’s social media risk-assessment capability as “not effective” or just “moderately effective.”
At the same time, the results suggest internal audit functions possess sufficient resources and skills to address social media risk.
Are there specific areas of social media risk that you are not able to address sufficiently in your audit plan due to lack of resources/skills?
0% 20%10% 50% 70%40%30% 60% 80% 90%
No 81%
Yes 19%
So, why aren’t more internal audit functions achieving greater levels of success integrating social media risk management processes and activities into their work?
The answer points to several obstacles that require attention. The first, and perhaps overarching, obstacle is clarity: 81 percent of respondents indicated that their internal audit functions possess suffi-cient resources and skills to address social media risk, yet they also identified “inadequately trained staff” as the top inhibitor of internal audit’s deeper involvement in assessing social media risk.
This confusion can be eliminated by developing a more effective understanding of the skills that social media risk identification, assessment and mitigation require; namely, intensive internal collaboration (with IT, executive management, business process owners and more) as well as with external experts.
Armed with this understanding, internal audit can more effectively address other inhibitors, includ-ing but not limited to confusing perceptions of social media risk throughout the organization, lack of management support, inadequate technology, and lack of IT support.
“ I AM NOT SURE EVERYONE IS TRAINED TO UNDERSTAND THE RISKS OF SOCIAL MEDIA.”
DireCTor of auDiTing, miDsize hospiTaliTy Company
8 2013 Internal Audit Capabilities and Needs Survey Report
What inhibits internal audit’s involvement in assessing social media risk?*
0% 10%5% 20% 30%15% 25% 35%
Lack of IT support
Data availability
Perceived cost
HR policies
Other
Inadequately trained staff
Perceived risk
Lack of management support
Inadequate technology
14%
11%
18%
17%
27%
No inhibitors 22%
30%
30%
10%
6%
“ LACK OF TIME TO MONITOR SOCIAL MEDIA RISK IS AN ISSUE – OUR TEAM IS TOO LEAN TO ADDRESS
THIS NEW RISK.”
Chief auDiT exeCuTive, large manufaCTuring Company
* Multiple responses permitted
92013 Internal Audit Capabilities and Needs Survey Report
10 2013 Internal Audit Capabilities and Needs Survey Report
General Technical Knowledge
Key Findings • Duetotheirhighlydynamic,newandpotentiallyriskynature,socialmediaapplications
rankasthetoptechnicalknowledgeareainneedofimprovement.
• Internalauditfunctionsviewseveralrecentlyenactedauditingstandardareasastoppriorities–likelyinpreparationfortheupcomingreleaseofCOSO’supdatedInternalControl–IntegratedFramework.
• Theuseofdataanalysistechnologies(applicationsthatcanextractactionableinsightsfromanorganization’sgrowingtroveofbigdata)isakeypriority.
• Othernotableprioritiesincludefrauddetectionandpreventionaswellasaddressingrisksrelatedtocloudcomputing.
Overall Results, General Technical Knowledge
“Need to Improve” Rank
Areas Evaluated by RespondentsCompetency (5-pt. scale)
1 Social media applications 2.7
2(tie)
Recently enacted IIA Standard – Functional Reporting Interpretation (Standard 1110)
3.1
Recently enacted IIA Standards – Audit Opinions and Conclusions (Standards 2010.A2 and 2410.A1)
3.1
3(tie)
GTAG 16 – Data Analysis Technologies 2.8
Recently enacted IIA Standard – Overall Opinions (Standard 2450) 3.1
Cloud computing 2.7
4(tie)
The Guide to the Assessment of IT Risk (GAIT) 2.7
GTAG 13 – Fraud Prevention and Detection in an Automated World 2.8
ISO 27000 (information security) 2.4
COSO Internal Control Framework (DRAFT 2012 version) 2.9
5(tie)
Practice Guide – Assessing the Adequacy of Risk Management 3.0
GTAG 6 – Managing and Auditing IT Vulnerabilities 2.8
Fraud risk management 3.4
Respondents were asked to assess, on a scale of one to five, their competency in 51 areas of techni-cal knowledge important to internal audit, with one being the lowest level of competency and five being the highest. For each area, they were then asked to indicate whether they believe their level of knowledge is adequate or requires improvement, taking into account the circumstances of their
112013 Internal Audit Capabilities and Needs Survey Report
“ MANAGEMENT APPEARS TO HAVE NEITHER AN APPRECIATION NOR A POLICY FRAMEWORK IN PLACE TO
ADDRESS SOCIAL MEDIA RISK.”
Chief auDiT exeCuTive, small healThCare Company
organization and industry. (For the areas of knowledge under consideration, see pages 12-13.) Figure 1 depicts a comparison of “Need to Improve” versus “Competency” ratings in a General Technical Knowledge landscape.
Similar to results from our 2012 survey, social media applications remain a top concern for internal auditors in all industries. The use of these applications within enterprises is not new; many organi-zations began using various forms of social media as long as four to five years ago (though widespread use began in the past two years). The highly dynamic nature of social media offers many new and promising opportunities for organizations, but it also presents a host of new security, privacy, legal and reputation risks for internal audit to recognize, understand and monitor. Applying a rigorous and regimented process for identifying and monitoring social media-related risks remains a difficult and continually changing challenge for the internal audit function. Meeting such a challenge requires effective collaboration with business partners throughout the company to ensure that appropriate social media usage policies are developed, constantly updated, understood and adhered to by employees.
Other, similarly dynamic knowledge areas inside and outside the enterprise also figure as top “Need to Improve” areas for internal auditors. Internally, harvesting big data to strengthen numerous business processes, including those in the internal audit function, remains a key challenge. By increasing their knowledge and use of data analysis technologies (via guidance provided in The IIA’s GTAG 16, for example), internal auditors can provide assurance more effectively – and efficiently.
Cloud computing represents another internal area of significant focus. Cloud platforms and appli-cations create new risks that internal audit must – in partnership with executive management and business owners – identify, assess, monitor and mitigate appropriately.
Externally, the updated Internal Control – Integrated Framework from the Committee of Sponsor-ing Organizations of the Treadway Commission (COSO) is expected to be released in final form this year. The exact scope of these changes is unknown, but the revised framework is looming large for most internal audit functions. Leading up to the unveiling of the updated framework, internal auditors are looking to increase their knowledge and understanding of several recently enacted standards from The IIA (e.g., Standards 1110, 2010.A2, 2410.A1 and 2450) while also looking to improve their fraud prevention and detection knowledge.
12 2013 Internal Audit Capabilities and Needs Survey Report
Figure 1: General Technical Knowledge – Perceptual Map
NEED TO IMPROVELOWER HIGHER
LEV
EL O
F C
OM
PETE
NC
YLO
WER
HIG
HER
21
11
1
23
4
5
67
8
9
10
17
1820
51
50
48
47
46
45
44
42
41
40
38
37
36
35
34
33
32
30
31
394349
12
13
1415
16
19
2223
2425
2627
2829
Number General Technical Knowledge Number General Technical Knowledge
1 Social media applications 15 IT governance
2Recently enacted IIA Standard – Functional Reporting Interpretation (Standard 1110)
16Practice Guide – Measuring Internal Audit Effectiveness and Efficiency
3Recently enacted IIA Standards – Audit Opinions and Conclusions (Standards 2010.A2 and 2410.A1)
17 ISO 31000 (risk management)
4 GTAG 16 – Data Analysis Technologies 18 GTAG 3 – Continuous Auditing
5Recently enacted IIA Standard – Overall Opinions (Standard 2450)
19GTAG 5 – Managing and Auditing Privacy Risks
6 Cloud computing 20 GTAG 12 – Auditing IT Projects
7 The Guide to the Assessment of IT Risk (GAIT) 21GTAG 14 – Auditing User-developed Applications
8GTAG 13 – Fraud Prevention and Detection in an Automated World
22 GTAG 15 – Information Security Governance
9 ISO 27000 (information security) 23Practice Guide – Auditing the Control Environment
10COSO Internal Control Framework (DRAFT 2012 version)
24 GTAG 4 – Management of IT Auditing
11Practice Guide – Assessing the Adequacy of Risk Management
25 GTAG 8 – Auditing Application Controls
12GTAG 6 – Managing and Auditing IT Vulnerabilities
26GTAG 2 – Change and Patch Management Controls
13 Fraud risk management 27 GTAG 7 – IT Outsourcing
14 GTAG 17 – Auditing IT Governance 28 GTAG 11 – Developing the IT Audit Plan
132013 Internal Audit Capabilities and Needs Survey Report
29 GTAG 9 – Identity and Access Management 41International Financial Reporting Standards (IFRS)
30ISO 9000 (quality management and quality assurance)
42Practice Advisory 1312-3 – Independence of External Assessment Team in the Private Sector
31 GTAG 10 – Business Continuity Management 43 Extensible business reporting language (XBRL)
32 ISO 14000 (environmental management) 44Country-specific enterprise risk management framework
33 COBIT 45Practice Advisory 1312-4 – Independence of the External Assessment Team in the Public Sector
34 COSO Enterprise Risk Management Framework 46 FASB Accounting Standards Codification™
35
Practice Guide – Assisting Small Internal Audit Activities in Implementing the International Standards for the Professional Practice of Internal Auditing
47Evaluating executive compensation risk of Regulation S-K
36 GTAG 1 – Understanding IT Controls 48 Corporate social responsibility
37 Six Sigma 49Board risk oversight (SEC Item 407(h) of Regulation S-K)
38Reporting on Controls at a Service Organiza-tion – SSAE 16/AU 324 (replaces SAS 70)
50COSO Internal Control Framework (1992 version)
39Practice Advisory 2050-3 – Relying on the Work of Other Assurance Providers
51Standards for the Professional Practice of Internal Auditing (IIA Standards)
40 Fair value accounting
Key Questions to Consider• Doyourorganizationandyourinternalauditfunctionconductongoingassessmentsof
potentialrisksrelatedtotheuseofnewandexistingsocialmediaapplications?
• Doestheorganizationhaveasocialmediastrategysupportedbyasocialmediapolicy?Doesinternalauditplayacentralroleinmonitoringandensuringcompliancewiththispolicy?
• Arethereopportunitiestodeploynewapplicationstomonitoremployees’andtheorganization’ssocialmediaactivities?
• AreyoukeepingapprisedofcurrentandrelevantGTAGstandards?
• Towhatextentisyourfunctionpreparedtoaddress,inanagileandproactivemanner,forthcomingchangestotheCOSOInternalControl–IntegratedFramework?
• Isyourandyourfunction’sknowledgeofdataanalysistechnologiessufficienttoreviewanddeploydataanalysisapplicationsthatcangreatlystrengthenthebreadthandeffi-ciencyofinternalaudit’swork?
• Cannewdataanalysisandcontinuousmonitoringtoolsbeusedtofortifyfraudpreven-tionanddetectionefforts?
• Asmorecloudsolutionsaredeployed,isinternalauditmaintainingaclearunderstand-ingofcloud-associatedrisksandhowtheyshouldbemanaged?
14 2013 Internal Audit Capabilities and Needs Survey Report
Overall Results, General Technical Knowledge – Three-Year Comparison
2013 2012 2011
Social media applications Social media applications
IFRS
GTAG 13 – Fraud Prevention and Detection in an Automated World
Recently enacted IIA Standard – Functional Reporting Interpretation (Standard 1110)
Cloud computing ISO 31000Recently enacted IIA Standards – Audit Opinions and Conclusions (Standards 2010.A2 and 2410.A1)
GTAG 16 – Data Analysis Technologies
GTAG 13 – Fraud Prevention and Detection in an Automated World
Penalties in Administrative Proceedings (§ 929P)
Recently enacted IIA Standard – Overall Opinions (Standard 2450)
Cloud computing
The Guide to the Assessment of IT Risk (GAIT)
Fraud risk management Six Sigma
GTAG 13 – Fraud Prevention and Detection in an Automated World
ISO 27000 (information security)
COSO Internal Control Framework (DRAFT 2012 version)
Practice Guide – Assessing the Adequacy of Risk Management
GTAG 16 – Data Analysis Technologies
Hedging by Employees and Directors (§ 955) GTAG 6 – Managing and Auditing IT
Vulnerabilities
Fraud risk management GTAG 15 – Information Security Governance
152013 Internal Audit Capabilities and Needs Survey Report
Focus on Results by Company Size
Social media applications rank among the top three priorities for companies regardless of size, an indicator that the use of these tools requires more rigorous control and more consistent risk moni-toring. Internal auditors within midsize companies express a slightly greater need to improve their knowledge of recently enacted IIA Standards.
Company Size Results, General Technical Knowledge
Small < US$1B Medium US$1B-9B* Large > US$10B
Social media applicationsRecently enacted IIA Standard – Functional Reporting Interpretation (Standard 1110)
Social media applications
GTAG 16 – Data Analysis TechnologiesRecently enacted IIA Standards – Audit Opinions and Conclusions (Standards 2010.A2 and 2410.A1)
Practice Guide – Measuring Internal Audit Effectiveness and Efficiency
IT governance
Recently enacted IIA Standard – Overall Opinions (Standard 2450)
Recently enacted IIA Standards – Audit Opinions and Conclusions (Standards 2010.A2 and 2410.A1)
Social media applications
Recently enacted IIA Standard – Overall Opinions (Standard 2450)
Practice Guide – Assessing the Adequacy of Risk Management
The Guide to the Assessment of IT Risk (GAIT)
Cloud computing ISO 27000 (information security)
GTAG 13 – Fraud Prevention and Detection in an Automated World
ISO 31000 (risk management)
GTAG 3 – Continuous Auditing
GTAG 14 – Auditing User-developed Applications
The Guide to the Assessment of IT Risk (GAIT)
* Upon request, Protiviti can provide additional reporting in this broad category.
16 2013 Internal Audit Capabilities and Needs Survey Report
Focus on Chief Audit Executives
The responses from CAEs are consistent with the overall results; it is important to note that social media applications rank as the highest “Need to Improve” area among internal audit leadership.
CAE Results, General Technical Knowledge
“Need to Improve” Rank
Areas Evaluated by RespondentsCompetency(5 pt. scale)
1 Social media applications 2.7
2Recently enacted IIA Standard – Functional Reporting Interpretation (Standard 1110)
3.2
3 COSO Internal Control Framework (DRAFT 2012 version) 3
4Recently enacted IIA Standards – Audit Opinions and Conclusions (Standards 2010.A2 and 2410.A1)
3.2
5(tie)
Cloud computing 2.7
ISO 27000 (information security) 2.5
Key Questions for CAEs:• AreexpectationsofhowITrisksaremanagedandmonitoredconsistentamongthe
CAE,CIOandallotherC-suiteandbusinessunitexecutives?
• Isthereasufficientlevelofawareness–insidetheITfunctionaswellasthroughouttheentireorganization–oftherisksthatsocialmediaapplicationspose?
• Doestheinternalauditfunctionrecognizetheimportanceofvigilantlymonitoringrisksrelatedtotheintroductionofothernewtechnologies–suchascloudcomputing,mobilecommerceandsmartdevices–viatheITfunctionaswellasnewchannels(e.g.,individualemployeesandthemarketingfunction)?
• DoyourC-levelexecutivesknowthepotentialtechnologyrisksyourorganizationfaces,specificallythoserelatedtothedeploymentand/oruseofnewertechnologies?
• DoestheinternalauditfunctionconductaspecificITauditriskassessmentwhenformulatingtheoverallauditplan?
• Aresocialmediariskevaluationsincludedintheauditplan?
• Doestheinternalauditfunctionpossesstheexpertisenecessarytomonitorandmanagenewandemergingtechnologyriskseffectively?
172013 Internal Audit Capabilities and Needs Survey Report
• Doesyourinternalauditdepartmenthaveaprocessforremainingcurrentonthegrowingnumberofregulatorychangesaswellaschangesrelatedtoauditing,riskmanagement,andrelatedrulesandguidelines?
• Doesthelevelofcollaborationamonginternalauditandtherestoftheorganizationfostereffectiverelationshipsduringauditingandadvisoryactivitiesaswellasanongoingtwo-waydialogue?
CAE Results, General Technical Knowledge – Three-Year Comparison
2013 2012 2011
Social media applications Social media applications IFRS
Recently enacted IIA Standard – Functional Reporting Interpretation (Standard 1110)
Cloud computingGTAG 13 – Fraud Prevention and Detection in an Automated World
COSO Internal Control Framework (DRAFT 2012 version)
GTAG 13 – Fraud Prevention and Detection in an Automated World
Penalties in Administrative Proceedings (§ 929P)
Hedging by Employees and Directors (§ 955)
Recently enacted IIA Standards – Audit Opinions and Conclusions (Standards 2010.A2 and 2410.A1)
GTAG 16 – Data Analysis Technologies
GTAG 14 – Auditing User-developed Applications
GTAG 15 – Information Security Governance
Cloud computingIFRS
GTAG 3 – Continuous Auditing
ISO 27000 (information security) GTAG 12 – Auditing IT Projects
18 2013 Internal Audit Capabilities and Needs Survey Report
192013 Internal Audit Capabilities and Needs Survey Report
Audit Process Knowledge
Key Findings • Areasoffraudriskmanagement,includingdetection,monitoring,preventionand
investigation,rankastopprioritiesforinternalauditexecutivesandprofessionals.
• DataanalysistoolsandCAATscontinuetobekeyareasinneedofimprovement.
Overall Results, Audit Process Knowledge
“Need to Improve” Rank
Areas Evaluated by RespondentsCompetency (5-pt. scale)
1(tie)
Data analysis tools – data manipulation 3.3
Fraud – monitoring 3.4
2(tie)
Auditing IT – new technologies 2.9
Fraud – fraud risk assessment 3.4
3(tie)
Data analysis tools – statistical analysis 3.3
Fraud – fraud detection/investigation 3.4
4(tie)
Fraud – management/prevention 3.5
Computer-assisted audit tools (CAATs) 3.1
5 Data analysis tools – sampling 3.4
Overall Findings
Respondents were asked to assess, on a scale of one to five, their competency in 42 areas of audit process knowledge, with one being the lowest level of competency and five being the highest. For each area, they were then asked to indicate whether they believe their level of knowledge is adequate or requires improvement, taking into account the circumstances of their organization and industry.(For the areas of knowledge under consideration, see pages 20-21.) Figure 2 depicts a comparison of “Need to Improve” versus “Competency” ratings in an Audit Process Knowledge landscape.
This marks the fourth consecutive year in which internal audit executives and professionals partici-pating in this survey identified data analysis tools and CAATs as top “Need to Improve” areas. This is not surprising when considering that an increasing number of organizations continue to assess how to manage and control their big data. Internal audit is playing a key role in working with management to assess and manage big data-related risks. Specifically, internal auditors must audit processes related to big data, such as data governance, classification and retention. At the same time, internal auditors are users of big data through their continuous auditing, continuous monitoring and data analytics-related activities.
Among the possible reasons why CAATs and data analysis tools consistently rank as top “Need to Improve” competencies in the survey:
• Developing and using data analytics requires a strong commitment as well as dedicated resources – this can be difficult for some internal audit shops to achieve, even though they understand the benefits.
20 2013 Internal Audit Capabilities and Needs Survey Report
• Many internal audit functions lack the necessary skills, or individuals with those skills are otherwise deployed.
• Company systems are too diverse and thus are not ideally suited to generating effective data analytics.
This year’s findings also include a familiar but newly important area of priority: fraud. The need to improve fraud risk assessment and monitoring – while continuing to improve auditing technologies and CAATs – points to the changing nature of fraud. As organizational use and dependence on information systems and the big data within these systems increase, fraudulent activity necessarily grows more technologically sophisticated. To keep pace in both preventing and detecting this type of fraud, internal auditors need to apply more sophisticated techniques and tools themselves.
The sustained drive to improve the use of CAATs and to apply new data analysis tools to audit-ing activities comes amid an ongoing evolution in the internal audit profession from manual, time-intensive auditing toward technology-enabled auditing practices. These leading, technology-aided processes facilitate reviews of virtually every transaction and piece of data on a continuing basis.
Figure 2: Audit Process Knowledge – Perceptual Map
NEED TO IMPROVELOWER HIGHER
LEV
EL O
F C
OM
PETE
NC
YLO
WER
HIG
HER
1915
212729
3132
3334
3536
37
4042
383941
30
1
2
3
4
5
67
8
9
10
1117
20
222426
28
18
12
1314
16
2523
Number Audit Process Knowledge Number Audit Process Knowledge
1 Data analysis tools – data manipulation 5 Data analysis tools – statistical analysis
2 Fraud – monitoring 6 Fraud – fraud detection/investigation
3 Auditing IT – new technologies 7 Fraud – management/prevention
4 Fraud – fraud risk assessment 8 CAATs
212013 Internal Audit Capabilities and Needs Survey Report
9 Data analysis tools – sampling 26 Auditing IT – computer operations
10 Fraud – auditing 27Operational auditing – cost effectiveness/cost reduction
11Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311)
28 Auditing IT – change control
12Quality Assurance and Improvement Program (IIA Standard 1300) – Periodic Reviews (IIA Standard 1311)
29Operational auditing – effectiveness, efficiency and economy of operations approach
13 Fraud – fraud risk 30 Presenting to the audit committee
14 Assessing risk – emerging issues 31Resource management (hiring, training, managing)
15 Enterprisewide risk management 32Assessing risk – process, location, transaction level
16 Statistically based sampling 33 Presenting to senior management
17Quality Assurance and Improvement Program (IIA Standard 1300) – External Assessment (IIA Standard 1312)
34 Report writing
18 Continuous auditing 35 Operational auditing – risk-based approach
19 Continuous monitoring 36 Assessing risk – entity level
20 Auditing IT – security 37 Planning audit strategy
21 Marketing internal audit internally 38 Developing recommendations
22 Auditing IT – program development 39 Interviewing
23 Self-assessment techniques 40 Audit planning – entity level
24 Auditing IT – continuity 41Audit planning – process, location, transaction level
25Top-down, risk-based approach to assessing internal control over financial reporting
42 Conducting opening/closing meetings
Key Questions to Consider:• Doesyourinternalauditfunction,andtheorganizationasawhole,recognizethe
valuethatcontinuousauditing,continuousmonitoring,andotherdata-analyticstoolsandcapabilitiesbringtotheinternalcontrolenvironment(andtointernalaudit’sadvisorycapabilities)?
• WhatCAATsanddata-analyticstoolsdoesyourinternalauditfunctioncurrentlyutilize?Arethereopportunitiestoupgradeexistingtoolsand/oraddnewtoolsinawaythatwillincreasetheeffectivenessandcost-efficiencyofinternalaudit’swork?
• Towhatdegreearemanagementandbusinessprocessownersinvolvedincontinuousauditingandcontinuousmonitoringefforts,andwherearethereopportunitiestostrengthenthiscollaboration?
• Towhatdegreedoexistingfraudprevention,detection,monitoringandinvestigationactivitiesaddressyourorganization’sspecificdata-andinformation-relatedfraudrisks?
• Doestheorganizationsufficientlyleveragedataanalysisandtechnology-enabledauditstoprevent,detect,monitorandinvestigatefraud,aswellastoensurecompliancewithapplicablelawsandregulations?
22 2013 Internal Audit Capabilities and Needs Survey Report
Overall Results, Audit Process Knowledge – Three-Year Comparison
2013 2012 2011
Data analysis tools – data manipulation Continuous auditing Continuous auditing
Fraud – monitoring
Auditing IT – new technologiesCAATs CAATs
Fraud – fraud risk assessment
Data analysis tools – statistical analysis Continuous monitoring
Data analysis tools – statistical analysis
Fraud – fraud detection/investigation
Fraud – management/prevention Data analysis tools – data manipulation
Data analysis tools – data manipulation CAATs
Data analysis tools – samplingData analysis tools – statistical analysis
Auditing IT – program development
Focus on Results by Company Size
The prioritization of data analysis tools, CAATs and fraud-related auditing activities is consistent across companies of all sizes. It is noteworthy that internal audit professionals at midsize companies rank quality assurance and improvement programs as well as ongoing reviews (related to IIA Stan-dards 1300 and 1311, respectively) as higher “Need to Improve” priorities than their counterparts at small and large organizations.
Company Size Results, Audit Process Knowledge
Small < US$1B Medium US$1B-9B* Large ≥ US$10B
Auditing IT – new technologies Fraud – monitoringData analysis tools – statistical analysis
Data analysis tools – data manipulation
Fraud – fraud risk assessment Data analysis tools – sampling
Auditing IT – security Fraud – management/prevention Auditing IT – new technologies
Fraud – fraud risk assessment Fraud – fraud detection/investigationContinuous auditing
Statistically based sampling
CAATs Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311)
CAATs
Data analysis tools – statistical analysis
Fraud – fraud detection/investigation
* Upon request, Protiviti can provide additional reporting in this broad category.
232013 Internal Audit Capabilities and Needs Survey Report
Focus on Chief Audit Executives
Feedback from CAEs in the survey mirrors the overall response. Clearly, data analysis tools, continuous auditing and monitoring, and fraud prevention are top priorities for internal audit functions in 2013.
CAE Results, Audit Process Knowledge
“Need to Improve” Rank
Areas Evaluated by RespondentsCompetency (5-pt. scale)
1 Data analysis tools – data manipulation 3.2
2 Auditing IT – new technologies 3.1
3 Data analysis tools – sampling 3.4
4 (tie)
CAATs 3.3
Data analysis tools – statistical analysis 3.3
5 Fraud – fraud risk assessment 3.7
Key Questions for CAEs:• Arethereprocessesinplacetodeterminewhethertheinternalauditfunction’sfraud
riskmanagementcapabilityiscurrentandsufficientlyrobustgiventheorganization’sever-increasingsupplyofdataanditsgrowingrelianceoninternalandexternaldata?
• Doestheinternalauditfunctionmaintainanongoingawarenessofnew(andoftendata-andinformation-related)fraudrisks?
• Aretheadoption,useandongoingmanagementofCAATsanddataanalysistoolsbytheinternalauditfunctiongovernedbyanoverarchingstrategyorphilosophy?
• Doexecutivemanagement,theboardandleadersthroughoutthebusinessunderstandthevalueofCAATsanddataanalysistoolsthattheinternalauditfunctionemploystostrengthenitscontributionstothebusiness?
• Doestheinternalauditfunctionhaveprocessesinplacetomonitor(andimprovewhennecessary)newandexistingauditingtechnology?
• Doestheinternalauditfunctionhaveprocessesinplacetomonitor(andimprovewhennecessary)thelevelofauditing-technologytrainingthatinternalauditorsreceive?
• Doesyourinternalauditfunctionhaveaccesstoqualifiedresourcesfromotherdepartments(and,insomecases,externalserviceproviders)toauditcomplexandcriticalIT-relatedareas?
24 2013 Internal Audit Capabilities and Needs Survey Report
CAE Results, Audit Process Knowledge – Three-Year Comparison
2013 2012 2011
Data analysis tools – data manipulation
CAATs Continuous auditing
Auditing IT – new technologies Continuous auditing
Data analysis tools – statistical analysis
Data analysis tools – data manipulation
CAATs
Data analysis tools – samplingData analysis tools – data manipulation
Data analysis tools – sampling
CAATs
Continuous monitoring Auditing IT – computer operationsData analysis tools – statistical analysis
Fraud – fraud risk assessment Data analysis tools – statistical analysis
Fraud – monitoring
“ AS AUDITORS, ANYONE WHO STATES THEY DO NOT NEED IMPROVEMENT IN TECHNOLOGY AND
INTERNAL CONTROLS IS IN DENIAL. THESE AREAS CHANGE TOO qUICKLY TO BECOME COMFORTABLE.”
Chief auDiT exeCuTive, small hospiTaliTy organizaTion
252013 Internal Audit Capabilities and Needs Survey Report
26 2013 Internal Audit Capabilities and Needs Survey Report
Personal Skills and Capabilities
Key Findings • Dealingwithconfrontation,negotiation,persuasion,high-pressuremeetingsand
presenting(publicspeaking)rankasthetopareasinneedofimprovement.
• Theseprioritiessuggestthatinternalauditseekstobecomeamorecollaborative,proactiveandstrategicfunctionfortheirorganizations.
Overall Results, Personal Skills and Capabilities
“Need to Improve” Rank
Areas Evaluated by RespondentsCompetency (5-pt. scale)
1 Dealing with confrontation 3.5
2(tie)
Negotiation 3.4
Persuasion 3.5
3(tie)
High-pressure meetings 3.5
Presenting (public speaking) 3.5
4 Strategic thinking 3.8
5(tie)
Developing other board committee relationships 3.2
Using/mastering new technology and applications 3.6
Leadership (within the internal audit profession) 3.5
Time management 3.7
Respondents were asked to assess, on a scale of one to five, their competency in 19 areas of personal skills and capabilities, with one being the lowest level of competency and five being the highest. For each area, respondents were then asked to indicate whether they believe their level of knowledge is adequate or requires improvement, taking into account the circumstances of their organization and industry. (For the areas of knowledge under consideration, see page 27.) Figure 3 depicts a comparison of “Need to Improve” versus “Competency” ratings in a Personal Skills and Capabilities landscape.
272013 Internal Audit Capabilities and Needs Survey Report
Figure 3: Personal Skills and Capabilities – Perceptual Map
NEED TO IMPROVELOWER HIGHER
LEV
EL O
F C
OM
PETE
NC
YLO
WER
HIG
HER
1
2
34
5
6
7
8
9
10
11
17
18
19
12
1314
1516
Number Personal Skills and Capabilities Number Personal Skills and Capabilities
1 Dealing with confrontation 11 Developing outside contacts/networking
2 Negotiation 12 Developing audit committee relationships
3 Persuasion 13 Creating a learning internal audit function
4 High-pressure meetings 14 Leadership (within your organization)
5 Presenting (public speaking) 15 Coaching/mentoring
6 Strategic thinking 16 Developing rapport with senior executives
7Developing other board committee relationships
17 Leveraging others’ expertise
8Using/mastering new technology and applications
18 Change management
9Leadership (within the internal audit profession)
19 Presenting (small groups)
10 Time management
28 2013 Internal Audit Capabilities and Needs Survey Report
The personal skills and capabilities internal auditors view as key areas in need of improvement this year reflect the functional and strategic challenges they confront. The transformative nature of social media in the enterprise along with ongoing economic volatility and the ever-quickening pace of business change appear to be motivating internal auditors to strengthen their relationships with the rest of the organization. Dealing with confrontation, negotiation, persuasion, high-pressure meetings and presenting (public speaking) each represents a way of improving working relation-ships and heightening credibility with other parts of the business.
Due to the increasingly complex and integrated nature of business and internal business process-es, fewer companies can afford the inefficiencies that occur when different functions, business units and teams operate in silos. Instead, more business processes rely on expertise and activities from different parts of the company – for example, quarterly financial reports may include partnering with IT to generate necessary data. And to monitor and analyze these business processes effectively, internal audit also must work in an increasingly collaborative fashion with virtually all areas of the organization.
This year’s results also point to strategic thinking as a critical priority. This suggests another posi-tive development within internal audit – namely, being called upon more frequently to provide insight and analysis before strategic decisions are made so that the ultimate decision already includes key considerations of the risks and opportunities that the internal audit function recognizes and tracks. If a company is considering expanding into a new region in Asia or Africa, for example, proactive internal audit functions can share insights that help their executive teams make more informed decisions. This role extends the internal audit function’s focus beyond internal controls and compliance, and it also requires the function to develop stronger board committee relation-ships – which, not coincidentally, figures as another key “Need to Improve” area in this category.
292013 Internal Audit Capabilities and Needs Survey Report
Key Questions to Consider• Doestheinternalauditfunctionrecognizetheincreasinglycross-functionaland
collaborativenatureofbusinessprocesses–andisitrespondinginkindbyseedingitsteamswithasufficientdepthandbreadthofexpertiseandimplementingasufficientlycollaborativeapproach?
• Doopportunitiesforrotationalwork,stretchassignments,trainingclassesandleadershipdevelopmentexistforinternalauditorssothattheycansharpenthepersonalskillsandcapabilitiesrequiredtofosterhighlycollaborativeworkingrelationshipswiththerestoftheenterprise?
• Aretheknowledgeandinsightsinternalauditaccumulatesthroughitsworkhelpingtoinformthestrategicdecision-makingprocesssothattheboard,executiveteamandorganizationarenotscramblingtoreacttomajorrisksafterstrategicdecisionshavebeenmade?
• Dointernalauditorshaveopportunitiestodevelopandstrengthentheirwrittenandverbalskillsinawaythathelpsthemcontinuallyimprovehowtheycommunicate,negotiate,persuadeanddealwithconfrontationintheirdailyactivities?
• Areinternalauditorsgettingopportunitiestoworkorpresentdirectlytokeyexecutives?
Overall Results, Personal Skills and Capabilities – Three-Year Comparison
2013 2012 2011
Dealing with confrontationDeveloping outside contacts/networking
Dealing with confrontation
Negotiation NegotiationPresenting (public speaking)
Persuasion Persuasion
High-pressure meetingsDealing with confrontation Negotiation
Presenting (public speaking)
Strategic thinking Presenting (public speaking) Leadership (within the IA profession)
Developing other board committee relationships
High-pressure meetingsDeveloping outside contacts/networking
Using/mastering new technology and applications
Leadership (within the IA profession)
Time management
30 2013 Internal Audit Capabilities and Needs Survey Report
Focus on Results by Company Size
The survey results are largely consistent across different company sizes with a notable exception. Internal audit functions in large companies view the development of board committee relationships (the audit committee as well as other committees), strategic thinking and leadership within the internal audit profession as higher priorities than respondents from small and midsize enterprises.
Company Size Results, Personal Skills and Capabilities
Small < US$1B Medium US$1B-9B* Large ≥ US$10B
Dealing with confrontation Dealing with confrontation
Developing other board committee relationships
Presenting (public speaking)
High-pressure meetings
Developing other board committee relationships
Developing audit committee relationships
Strategic thinkingPersuasion
Negotiation Negotiation
Leadership (within the IA profession)
Negotiation
Dealing with confrontation
Persuasion
Time management
Persuasion
Developing outside contacts/networking Coaching/mentoring
Presenting (public speaking)
Presenting (public speaking) High-pressure meetings Leadership (within your organization)
Strategic thinking
Time managementHigh-pressure meetings
Presenting (small groups)
Using/mastering new technology and applications
Using/mastering new technology and applications
* Upon request, Protiviti can provide additional reporting in this broad category.
312013 Internal Audit Capabilities and Needs Survey Report
Focus on Chief Audit Executives
Consistent with the results from previous years of this survey, a key difference between the responses from CAEs and those of the overall group is the view that, for CAEs, developing other board committee relationships and developing outside contacts/networking are top priorities. Also of note, using and mastering new technology and applications ranks as a high priority for CAEs, whereas this ranks lower in the overall response group.
CAE Results, Personal Skills and Capabilities
“Need to Improve” Rank
Areas Evaluated by RespondentsCompetency(5-pt. scale)
1 Dealing with confrontation 3.8
2 Developing other board committee relationships 3.5
3(tie)
Developing outside contacts/networking 3.7
Negotiation 3.7
Using/mastering new technology and applications 3.6
4 Time management 3.8
5(tie)
Persuasion 3.8
Strategic thinking 4.0
Key Questions for CAEs:• Doesyourorganization,andyourfunction,providesufficienttrainingand
developmentalopportunitiesforinternalauditorstostrengtheninterpersonalskills(e.g.,persuasion,negotiation,dealingwithconfrontation)sothattheycanhelptheinternalauditfunctioncultivatemorecollaborativerelationshipswithcolleaguesanddepartmentsthroughouttheorganization?
• Arethereopportunitiesforincreasingyourandyourteam’sexternalprofessionalactivities(e.g.,networking,participatinginprofessionalassociationevents,learningfrominternalauditthoughtleaders,etc.)inawaythatstrengthenstheinformationnetworkyourfunctioncantaptohelpimproveitspracticesandprocesses?
• Whatspecificstepsareyoutakingtocultivateandstrengthenrelationshipswiththedirectorswhoserveontheauditcommitteeoftheboardaswellasotherboardcommittees?
• Areyoumakingaconcerted,sustainedefforttomonitorrelevanttechnologyadvancementsanddevelopmentsinawaythathelpsensureyourfunctionisleveragingtechnologyinthemosteffectiveandcost-efficientmanner?
32 2013 Internal Audit Capabilities and Needs Survey Report
CAE Results, Personal Skills and Capabilities – Three-Year Comparison
2013 2012 2011
Dealing with confrontation Presenting (public speaking)Developing other board committee relationships
Developing other board committee relationships
Developing other board committee relationships
Developing outside contacts/networking
Developing outside contacts/networking
Time management
Developing outside contacts/networking
Persuasion
Leadership (within the IA profession) NegotiationUsing/mastering new technology and applicationsUsing/mastering new technology and
applications
Time managementNegotiation
Presenting (public speaking) Dealing with confrontation
PersuasionTime management Strategic thinking
Strategic thinking
“ CURRENTLY, INTERNAL AUDIT DOES NOT HAVE FACE TIME WITH ALL BOARD MEMBERS. THIS AREA
NEEDS TO BE IMPROVED.”
DireCTor of auDiTing, large manufaCTuring anD wholesale Company
332013 Internal Audit Capabilities and Needs Survey Report
Methodology and Demographics
More than 1,000 respondents submitted completed surveys for Protiviti’s Internal Audit Capabilities and Needs Survey, which was conducted from September through October 2012. The survey consisted of a series of questions grouped into four divisions: Social Media Risk and the Audit Process, General Technical Knowledge, Audit Process Knowledge, and Personal Skills and Capa-bilities. Participants were asked to assess their skills and competency by responding to questions concerning 199 topic areas. Respondents from the U.S. financial services, U.S. healthcare, and manufacturing industries were also asked to assess industry-specific skills (these findings are avail-able upon request). The purpose of this survey was to elicit responses that would illuminate the current perceived levels of competency in the many skills necessary to today’s internal auditors, and to determine which knowledge areas require the most improvement.
Survey participants also were asked to provide demographic information about the nature, size and location of their businesses, and their titles or positions within the internal audit department. These details were used to help determine whether there were distinct capabilities and needs among differ-ent sizes and sectors of business or among individuals with different levels of seniority within the internal audit profession. All demographic information was provided voluntarily by respondents.
Position
Chief audit executive 18%
Audit committee member 1%
Director of auditing 9%
IT audit director 2%
Corporate management 3%
Audit manager 22%
IT audit manager 3%
Audit staff 24%
IT audit staff 6%
Other 12%
Industry
Government/education/not-for-profit 12%
Manufacturing 10%
Financial services (U.S.) 9%
Healthcare (U.S.) – provider 9%
Financial services (Non-U.S.) 8%
CPA/public accounting/consulting firm 6%
Insurance (excluding healthcare payer) 4%
Technology 4%
Energy 3%
Retail 3%
Telecommunications 3%
Healthcare (U.S.) – payer 2%
Hospitality 2%
34 2013 Internal Audit Capabilities and Needs Survey Report
Services 2%
Utilities 2%
Distribution 1%
Healthcare (Non-U.S.) 1%
Life sciences/biotechnology 1%
Media 1%
Real estate 1%
Other 16%
Certification
Certified Public Accountant (CPA)/Chartered Accountant (CA) 38%
Certified Internal Auditor (CIA) 33%
Certified Information Systems Auditor (CISA) 19%
Certified Fraud Examiner (CFE) 10%
Certified Financial Services Auditor (CFSA) 3%
Certified Government Auditing Professional (CGAP) 2%
Other 45%
Size of Organization (by Gross Annual Revenue)
$20 billion or greater 11%
$10 billion - $19.99 billion 6%
$5 billion - $9.99 billion 9%
$1 billion - $4.99 billion 23%
$500 million - $999.99 million 13%
$100 million - $499.99 million 16%
Less than $100 million 22%
Type of Organization
Public 36%
Private 36%
Not-for-profit 14%
Government 11%
Other 3%
Organization Headquarters
North America 59%
Africa 11%
Asia-Pacific 11%
Europe 9%
Middle East 5%
South America 1%
Other 4%
Industry (continued)
352013 Internal Audit Capabilities and Needs Survey Report
About Protiviti
Protiviti (www.�protiviti.�com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE® 1000 and Global 500 companies. We also work with smaller, growing companies, including those look-ing to go public, as well as with government agencies.
Protiviti is proud to be a Principal Partner of The IIA. More than 700 Protiviti professionals are members of The IIA and are actively involved with local, national and international IIA leaders to provide thought leadership, speakers, best practices, training and other resources that develop and promote the internal audit profession.
Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.
Internal Audit and Financial Advisory
We work with audit executives, management and audit committees at companies of virtually any size, public or private, to assist them with their internal audit activities. This can include start-ing and running the activity for them on a fully outsourced basis or working with an existing internal audit function to supplement their team when they lack adequate staff or skills. Protiviti professionals have assisted hundreds of companies in establishing first-year Sarbanes-Oxley compliance programs as well as ongoing compliance. We help organizations transition to a process-based approach for financial control compliance, identifying effective ways to appropriately reduce effort through better risk assessment, scoping and use of technology, thus reducing the cost of compliance. Reporting directly to the board, audit committee or management, as desired, we have completed hundreds of discrete, focused financial and internal control reviews and control investigations, either as part of a formal internal audit activity or apart from it.
One of the key features about Protiviti is that we are not an audit/accounting firm, thus there is never an independence issue in the work we do for clients. Protiviti is able to use all of our consultants to work on internal audit projects – this allows us at any time to bring in our best experts in various functional and process areas. In addition, Protiviti can conduct an independent review of a company’s internal audit function – such a review is called for every five years under standards from The Institute of Internal Auditors.
Among the services we provide are:
• Internal Audit Outsourcing and Co-Sourcing
• Financial Control and Sarbanes-Oxley Compliance
• Internal Audit quality Assurance Reviews and Transformation
• Audit Committee Advisory
For more information about Protiviti’s Internal Audit and Financial Advisory solutions, please contact:
Brian Christensen Executive Vice President – Global Internal Audit +1.602.273.8020 brian.christensen@protiviti.com
36 2013 Internal Audit Capabilities and Needs Survey Report
Other Thought Leadership from Protiviti
Visit www.�protiviti.�com to obtain copies of these and other thought leadership materials from Protiviti.
• 2012 sarbanes-oxley Compliance survey – where u.�s.�-listed Companies stand: reviewing Cost, Time, effort and processes
• 2012 iT audit Benchmarking survey
• executive perspectives on Top risks for 2013: Key issues Being Discussed in the Boardroom and C-suite (from North Carolina State University’s ERM Initiative and Protiviti)
• Changes to The iia standards: what Board members and executive management need to Know
• Cloud Computing: internal audit’s role in identifying risks, Defining strategy, evaluating the implementation process and monitoring vendor relationships
• The Bulletin – “Setting the 2013 Audit Committee Agenda”
• guide to internal audit: frequently asked Questions about Developing and maintaining an effective internal audit function (Second Edition)
• guide to international financial reporting standards: frequently asked Questions (Second Edition)
• guide to the sarbanes-oxley act: internal Control reporting requirements (Fourth Edition)
• guide to the sarbanes-oxley act: iT risks and Controls (Second Edition)
• internal audit Capabilities and needs survey (2006-2012)
• internal auditing around the world (Volumes 1-8)
• powerful insights (protiviti’s podcast series)
– Executive Perspectives on Top Risks for 2013
– Benchmarking the IT Audit Function
– Fraud Risk Assessment – Identifying Vulnerabilities to Fraud and Misconduct
– Fraud Risk Management: Safeguarding Your Reputation and Well-Being in Today’s Economic Climate
– Internal Audit quality Assessment Reviews – Required as well as Beneficial
– Perspectives on Sarbanes-Oxley Compliance: 10 Years Later
– Technology-Enabled Audits – Increasing Productivity and Delivering More Timely and Reliable Results
– The Benefits of Outsourcing the Internal Audit Function
– Social Media Use in Companies – Managing the Risks Effectively
• social media and internet policy and procedure failure – what’s next?
• spreadsheet risk management: frequently asked Questions
• Testing the reporting process – validating Critical information
• using high value iT audits to add value and evaluate Key risks and Controls
372013 Internal Audit Capabilities and Needs Survey Report
KnowledgeLeader® is a subscription-based website that provides information, tools, templates and resources to help internal auditors, risk managers and compliance professionals save time, stay up-to-date and manage business risk more effectively. The content is focused on business risk, technology risk and internal audit. The tools and resources available on KnowledgeLeader include:
• audit programs – A wide variety of sample internal audit and IT function audit work programs are available on KnowledgeLeader. These work programs, along with the other tools listed below, are all provided in downloadable versions so they can be repurposed for use in your organization.
• Checklists, guides and other Tools – More than 800 checklists, guides and other tools are available on KnowledgeLeader. They include questionnaires, best practices, templates, charters and more for managing risk, conducting internal audits and leading an internal audit department.
• policies and procedures – KnowledgeLeader provides more than 300 sample policies to help in reviewing, updating or creating company policies and procedures.
• articles and other publications – Informative articles, survey reports, newsletters and booklets produced by Protiviti and other parties (including Compliance Week and Auerbach) about business and technology risks, internal audit and finance.
• performer profiles – Interviews with internal audit executives who share their tips, techniques and best practices for managing risk and running the internal audit function.
Key topics covered by KnowledgeLeader:
• Audit Committee and Board
• Business Continuity Management
• Control Self-Assessment
• Corporate Governance
• COSO
• Fraud and Ethics
• IFRS
• Internal Audit
• IT Audit
• IT Governance
• Sarbanes-Oxley
KnowledgeLeader also has an expanding library of methodologies and models – including the robust Protiviti Risk ModelSM, a process-oriented version of the Capability Maturity Model, the Six Elements of Infrastructure Model, and the Sarbanes-Oxley 404 Service Delivery Model.
Furthermore, with a KnowledgeLeader membership, you will have access to AuditNet Premium Content; discounted certification exam preparation material from ExamMatrix; discounted MicroMash CPE Courses to maintain professional certification requirements; audit, accounting and technology standards and organizations; and certification and training organizations, among other information.
To learn more, sign up for a complimentary 30-day trial by visiting www.�knowledgeleader.�com. Protiviti clients and alumni, and members of The IIA, ISACA and AHIA, are eligible for a subscription discount. Additional discounts are provided to groups of five or more.
KnowledgeLeader members have the option of upgrading to KLplusSM. KLplus is the combined offering of KnowledgeLeader’s standard subscription service plus online CPE courses and risk briefs. The courses are a collection of interactive, Internet-based training courses offering a rich source of knowledge on internal audit and business and technology risk management topics that are current and relevant to your business needs.
38 2013 Internal Audit Capabilities and Needs Survey Report
Protiviti Internal Audit and Financial Advisory Practice – Contact Information
Brian Christensen Executive Vice President – Global Internal Audit +1.602.273.8020 brian.christensen@protiviti.com
AUSTRALIA
Garran Duncan +61.3.9948.1205 garran.duncan@protiviti.com.au
BELGIUM
Jaap Gerkes +31.6.1131.0156 jaap.gerkes@protiviti.nl
BRAzIL
Ricardo Lemos +55.11.5503.2020 ricardo.lemos@protivitiglobal.com.br
CANADA
Carmen Rossiter +1.647.288.4917 carmen.rossiter@protiviti.com
CHINA (Hong Kong and Mainland China)
Albert Lee +852.2238.0499 albert.lee@protiviti.com
FRANCE
Francis Miard +33.1.42.96.22.77 f.miard@protiviti.fr
GERMANY
Michael Klinger +49.69.963.768.155 michael.klinger@protiviti.de
INDIA
Adithya Bhat +91.22.6626.3310 adithya.bhat@protiviti.co.in
ITALY
Alberto Carnevale +39.02.6550.6301 alberto.carnevale@protiviti.it
JAPAN
Yasumi Taniguchi +81.3.5219.6600 yasumi.taniguchi@protiviti.jp
MEXICO
Roberto Abad +52.55.5342.9100 roberto.abad@protiviti.com.mx
MIDDLE EAST
Manoj Kabra +965.2295.7700 manoj.kabra@protivitiglobal.com.kw
392013 Internal Audit Capabilities and Needs Survey Report
THE NETHERLANDS
Jaap Gerkes +31.6.1131.0156 jaap.gerkes@protiviti.nl
SINGAPORE
Sidney Lim +65.6220.6066 sidney.lim@protiviti.com
SOUTH KOREA
Jeong Suk Oh +82.2.3483.8200 jeongsuk.oh@protiviti.co.kr
UNITED KINGDOM
Andrew Clinton +44.20.7024.7570 andrew.clinton@protiviti.co.uk
UNITED STATES
Brian Christensen +1.602.273.8020 brian.christensen@protiviti.com
AsiA-PAcific
AuSTrAlIA
BrisbaneCanberraMelbournePerthSydney
ChInA
BeijingHong KongShanghaiShenzhen
InDIA
BangaloreMumbaiNew Delhi
InDOnESIA
Jakarta**
JApAn
Osaka Tokyo
SInGApOrE
Singapore
SOuThKOrEA
Seoul
* Protiviti Member Firm ** Protiviti Alliance Member
The AmericAs
unITEDSTATES
AlexandriaAtlantaBaltimoreBostonCharlotteChicagoCincinnatiClevelandDallasDenverFort LauderdaleHouston
Kansas City Los Angeles Milwaukee Minneapolis New York Orlando Philadelphia Phoenix Pittsburgh Portland Richmond Sacramento
Salt Lake City San Francisco San Jose Seattle Stamford St. Louis Tampa Washington, D.C. Woodbridge
ArGEnTInA
Buenos Aires*
BrAzIl
Rio de Janeiro* São Paulo*
CAnADA
Kitchener-WaterlooToronto
ChIlE
Santiago*
MExICO
Mexico City* Monterrey*
pEru
Lima*
VEnEzuElA
Caracas*
© 2013 Protiviti Inc. An Equal Opportunity Employer. PRO-0313-101047Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.
euroPe
FrAnCE
Paris
GErMAny
Frankfurt Munich
ITAly
Milan Rome Turin
ThEnEThErlAnDS
Amsterdam
unITEDKInGDOM
London
middle eAsT
BAhrAIn
Manama*
KuWAIT
Kuwait City*
OMAn
Muscat*
unITEDArABEMIrATES
Abu Dhabi* Dubai*